                                  AUDIT OF SBA'S UNIX OPERATING SYSTEMS

                                  AUDIT REPORT NUMBER 1-21

                                  SEPTEMBER 28, 2001


This report may contain proprietary information subject to the provisions of 18 USC 1905 and must not be released to the public or another agency without permission of the Office of Inspector General.


                        U.S. SMALL BUSINESS ADMINISTRATION
                            OFFICE OF INSPECTOR GENERAL
                                WASHINGTON, D.C. 20416


                                                             AUDIT REPORT
                                                             Issue Date: September 28, 2001
                                                             Number: 1-21


To:            Lawrence E. Barrett, Chief Information Officer

Subject:       Audit of SBA's UNIX Operating Systems

        We completed an audit of the Sun Solaris UNIX computer operating systems on [FOIA Ex. 2] servers that host SBA's client/server [1] computer applications. We concluded that security over the UNIX servers was not adequate to protect or detect unauthorized access to Agency programs or data. During our audit, the OCIO corrected many of the configuration and access control issues. Our recommendations are focused on correcting those issues that remain to ensure the security over the UNIX operating systems.


                                        BACKGROUND

       SBA's Office of the Chief Information Officer (OCIO) has [Ex. 2] servers with UNIX operating systems that operate [FOIA Ex. 2] client/server based computer applications. The applications include the Surety Bond Guarantee/Preferred Surety Bond System, Field Cashiering System and Asset Sales System. [FOIA Ex. 2].

       When configured properly, the UNIX operating system can protect data and programs from unauthorized use. This is done primarily by requiring users to authenticate themselves when logging on with both a user identifier (user ID) and a password. After recognizing a user, UNIX restricts the user's access to data and programs according to permission previously granted by owners of the data and programs. UNIX has a "superuser" account that, by convention, has the username "root." This account has unrestricted access to the entire system, including all data and all programs. Access to root is controlled by a password that must be carefully protected in order to secure data and programs from unauthorized access, use, alteration, or destruction.

[1] Client/server is defined by TechWeb encyclopedia as a computer architecture in which the user's PC (the client) is the requesting computer and the server is the supplying computer, both of which are connected via a local area network or wide area network. In client/server, the client processes the user interface (Windows, Mac, etc.) and can perform some or all of the application processing. Servers range in capacity from high-end PCs to mainframes. A database server maintains the databases and processes requests from the client to extract data from or to update the database. An application server provides additional business processing for the clients.


                      OBJECTIVES, SCOPE AND METHODOLOGY

       The objectives of the audit were to determine whether the security settings and operational controls for the UNIX operating systems were adequate to prevent or detect unauthorized access to programs and data.
We also assessed compliance with applicable provisions of OMB Circular A-130, Appendix III, "Management of Federal Information Resources," and SBA's Standard Operating Procedure (SOP) 90-47, "Automated Information Systems Security."

        The scope of the audit was the 13 UNIX servers that provide the development, test and production environments for SBA's client/server applications. The [Ex. 2] UNIX servers that are dedicated to the operation of web server software were not within the scope of this audit. We ran diagnostic and security programs on the UNIX servers and interviewed appropriate SBA personnel at SBA's Central Office in Washington, DC between December 2000 and March 2001. We performed our audit in accordance with Government Auditing Standards.


                                      AUDIT RESULTS

        We concluded that the security settings and operational controls over the UNIX operating systems were not adequate to prevent or detect unauthorized access to programs and data, and did not comply with Federal and Agency information security requirements in OMB Circular A-130 and SBA SOP 90-47. As a result, there was an increased risk of unauthorized modification, loss and disclosure of data and programs. This risk is somewhat mitigated due to the fact that there are only about 45 authorized users who can log into the UNIX operating system directly. Additionally, the OCIO corrected many of the configuration and access control issues during the audit. Our recommendations are focused on correcting those issues that remain to ensure the security over the UNIX operating systems.


Finding 1: Identification And Authentication Controls Were Not Adequate To Prevent Or Detect Unauthorized Access

        Identification and authentication controls (user IDs and passwords) were not properly implemented to prevent or detect unauthorized access to the UNIX operating systems. This occurred because OCIO had not coordinated the overall installation and configuration of the servers to ensure they posed no security risk. Additionally, the UNIX computer operator who had operational security responsibilities was not trained in and aware of Agency security requirements. As a result, there was increased risk of unauthorized activities occurring and not being detected.

        OMB Circular A-130 requires that agencies ensure that information is protected commensurate with the risk and magnitude of the harm that would result from the loss, misuse, or unauthorized access to or modification of such information. In addition, SOP 90-47 requires that operating system software contain adequate security controls to minimize the likelihood of unauthorized access to or use of system resources. The SOP further requires the OCIO to coordinate the installation and configuration of the system(s) to ensure that they pose no security risk.

        The specific aspects of non-conformance with OMB Circular A-130 and SOP 90-47 for identification and authentication controls are noted below.

The password for the root ID had not been changed in the appropriate timeframe

         The password for the root ID had not been changed in five months. During that time, two individuals who knew the password for the root ID had retired.
Additionally, both of these individuals had active accounts on the firewall and could dial into the UNIX systems remotely. This occurred because the UNIX administrator was not aware of the Agency security requirements in the SOP, including the requirement to change the password for the root ID. As a result, unauthorized accesses could have occurred and gone undetected.

         SOP 90-47 requires that passwords for root IDs on UNIX operating systems be changed at least once every two months. Passwords should be changed more frequently as conditions warrant.

       During the audit, the UNIX computer operator changed the password for root and agreed to change it every two months, or more frequently as conditions warrant.

Some passwords were blank or easily guessed

        Using a password "cracker" freely available on the Internet, we identified 57 passwords being utilized by 26 user IDs that did not comply with SBA security requirements for password length and complexity. As a result, a user could more easily masquerade as someone else and make unauthorized changes to SBA client/server applications.

        SOP 90-47 requires that passwords must be at least eight characters in length, not be easily guessed combinations, e.g., all zeros, dashes, etc., and not be the same as the user ID.

       Some of the inappropriate passwords we identified were as follows:

       •    Thirty-two passwords were substantially the names of the products or utilities supported by the users of those products, e.g., [FOIA Ex. 2]

       •    Eleven passwords were the initial password given to the user. Those passwords had not been changed.

       •    Four passwords were blank. Any individual who knew the user ID for those four accounts could have signed on to the systems as those IDs.

       •    Ten passwords did not comply with agency regulations regarding password length and complexity.

Numerous user IDs were for personnel who were not currently employed

       Thirteen of the 60 existing user IDs were for personnel who were no longer SBA employees or contractors. Six of these 13 IDs had active accounts on the SBA firewall and could be used to dial into the UNIX servers remotely. As a result, there is no guarantee that these IDs were not used for an inappropriate purpose. Additionally, there is no ability to ascertain if other individuals accessed the programs and capabilities of the departed employees or contractors and made unauthorized changes to programs or data.

        SOP 90-47 requires that accounts will be suspended as quickly as possible, but no more than three working days from the time the user is no longer authorized access to the computer installation or computer application.

       During the audit, all non-current user IDs were suspended in UNIX and on the firewall as soon as it was determined that these IDs were for individuals who no longer worked for SBA.

Automated password controls were not enabled within UNIX

        Automated controls within UNIX over password settings were not enabled to ensure security and integrity of the operating system. This occurred because the UNIX operator had not activated the UNIX Administrative Tool features that would enforce password change requirements and user ID suspension called for in SBA SOP 90-47. Additionally, the OCIO had not ensured that the controls called for in the SOP would be included in the system configuration.
As a result, aspects of the previous two security weaknesses, easily guessed passwords and user IDs existing for non-current SBA personnel, were not automatically corrected within the system.

         SOP 90-47 specifies the following controls relating to password administration: (1) the initial password or a reissued password will be replaced and not reissued, (2) users must be able to change their own passwords and passwords must be set to automatically expire every 90 days, and (3) inactive accounts must be suspended after 120 days of inactivity.

        During the audit, the computer operator tested the UNIX Administrative Tool features with his own ID and found that the warning message that a password was about to expire did not work with the agency's client front-end security software. [2] Therefore, the system would not warn users that their passwords were about to expire. Procedures should, therefore, be developed to notify users that their passwords are about to expire at the 90-day interval as required by SOP 90-47.

[2] The approved client front-end security software (1) prevents direct login to the system with the Root ID, (2) limits the number of unsuccessful login attempts, and (3) encrypts communications between the client and server computers.

Recommendations:

         We recommend that the Chief Information Officer:

1A.      Ensure that the UNIX computer operators who have operational responsibility for maintaining security for the UNIX systems are trained in agency computer security requirements.

1B.      Ensure that the password for the root ID is changed every two months or more frequently as circumstances warrant.

1C.      Adopt password maintenance procedures to ensure that the initially assigned passwords for the UNIX systems are changed within a reasonable time frame (three to five workdays) and suspend IDs that are not initially used within 5 days.

1D.      Enable security features within the UNIX Administrative Tools to comply with SOP 90-47 regarding forcing the expiration of passwords every 90 days and forcing inactive accounts to be suspended after 120 days of inactivity.

1E.      Develop procedures to monitor passwords for SBA general support systems on a periodic basis to ensure compliance with SOP 90-47.

1F.      Establish procedures to review the access control lists for the UNIX systems and the firewall and purge the systems of user IDs that are no longer needed.

SBA Management's Response:

         The Chief Information Officer agreed with the finding and recommendations.


Finding 2: Remote Login Was Enabled On the Main UNIX Server Making It Easier To Penetrate The System

        Enabling the remote login setting (rlogin) within UNIX allowed access to the main UNIX server by means other than approved front-end software. As a result, potential unauthorized access to the server could occur and go undetected.

         SBA SOP 90-47 requires that users access client servers through client, front-end software provided and approved by the OCIO. Other access methods are prohibited. When enabled, remote login allows for access to the server without using the client, front-end software approved by the OCIO. When remote login was made known to the UNIX computer operator, the setting was immediately disabled.

Recommendation:

2A.
       We recommend that the Chief Information Officer periodically review the appropriate UNIX configuration files and ensure that sensitive system privileges and capabilities are set to SBA approved settings for all UNIX servers.

SBA Management's Response:

       The Chief Information Officer agreed with the finding and recommendation.


Finding 3: The UNIX Servers Did Not Have Appropriate Management Controls as Prescribed for General Support Systems

        The UNIX servers processing client/server applications did not have an adequate security plan, an individual formally assigned security duties, and authorization to process information as prescribed for general support systems per OMB Circular A-130. As a result, the UNIX servers did not have the underlying security foundation work needed to identify the security weaknesses that had been noted in this report.

        SBA had included the UNIX servers in a different security plan and accreditation package. The other security plan covered other SBA systems, but did not address the major applications that process on the UNIX servers, nor the protection and security requirements for the 40 plus users of the system. The security plan also did not specifically designate the responsible security official for the UNIX servers. Since the UNIX servers processing client/server applications are a separate general support system, there was not a correct authorization to process information on the UNIX servers.

Recommendations:

       We recommend that the Chief Information Officer:

3A.    Create the required security plan and documentation for the UNIX servers as separate general support systems processing major applications.

3B.    Formally assign security duties for the UNIX systems to an appropriate individual.

3C.    Approve or authorize the UNIX systems to operate as separate general support systems processing major applications.

SBA Management's Response:

       The Chief Information Officer agreed with the finding and recommendations.


Finding 4: UNIX Operating System Patches Were Not Up-To-Date

       The UNIX servers had not been kept up-to-date with the latest security patches and recommended configuration settings as provided by the manufacturer. As a result, the servers may have been more vulnerable than they would have been if the systems had been patched as recommended by the manufacturer.

       OMB Circular A-130 provides that "adequate security" means security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls. Since Sun Solaris UNIX patches come free with the systems, implementing these patches provides cost-effective security products and techniques.

        During the audit, a program from the manufacturer was run that analyzed the current patch level on three of the [Ex. 2] UNIX platforms. The tool identified many security and operational patches that had not been installed. According to computer operator staff, this was due to the philosophy that patches would be installed only if there was a compelling need for them (security or issues that directly affected the applications and [Ex. 2]). As the audit progressed, the computer operator updated one of the test environments with the manufacturer's recommended "bundle patch" (a collection of all current patches for the system).
The bundle patch had not encountered any problems in the test environment and the computer operator was awaiting approval to install the bundle patch on the remaining servers.

        During the audit, a program from the manufacturer was also run that determined whether certain system configuration settings were optimized for secure operations. The manufacturer had identified potential weaknesses in the default settings for UNIX and recommended installing a program to update the operating system each time the system is restarted. As the audit progressed, the UNIX computer operator modified the operating system to update the system configuration file on all [Ex. 2] UNIX servers during system restarts.

Recommendation:

4A.    We recommend that the Chief Information Officer review the UNIX servers and implement appropriate patches on all servers. Additionally, we recommend that in the future OCIO develop procedures to review the servers and verify that all appropriate patches are timely installed.

SBA Management's Response:

        The Chief Information Officer agreed that security patches for the [Ex. 2] servers were not always up to date. He was concerned, however, that implementing a bundle patch on the UNIX servers could cause unintended consequences to the operational environments. Certain patches may not work correctly with SBA installed programs or utilities. The CIO agreed to review the current patch configuration for the UNIX servers to ensure that all necessary patches are currently installed. Additionally, the OCIO will develop procedures to periodically review the patch configuration levels to ensure that all future patches are timely installed on SBA systems.

OIG Evaluation of Management's Response:

      We agree with the Chief Information Officer's comments and have modified the recommendation accordingly.


Finding 5:     Monitoring "Switch-user" Logs

        UNIX has a switch-user command (su) that allows a user who is logged on to the system to log in again under another ID (account). When outside of the console room, secure front-end software is configured to require logging (recording) of user attempts to switch user. Thus all logins through the switch-user command are recorded (logged) in a switch-user file. This file (log) should be reviewed periodically by appropriate personnel to identify unauthorized user attempts to switch to root or other highly privileged user IDs.

        The groups at OCIO that should have monitored the switch-user logs for suspicious behavior did not review those logs and validate appropriate login attempts. This occurred because the logs for the command were periodically monitored by the UNIX computer operators, but not shared with the DBMS programming group and the OCIO Security group. As a result, there was no oversight by the groups who would be most interested in users logging into the servers with IDs that those individuals were not authorized to use.

Recommendation:

5A.    We recommend that the Chief Information Officer create copies of the switch-user logs and have those logs reviewed weekly by the DBMS Team Leader and the OCIO Security group.
       The DBMS Team Leader and OCIO Security should review and validate the appropriateness of the logins using the switch-user logs.

SBA Management's Response:

       The Chief Information Officer agreed with the finding and recommendation.


                                             ***

       The findings included in this report are the conclusions of the Office of Inspector General's Auditing Division. The findings and recommendations are subject to review, management decision, and corrective action by your office in accordance with existing Agency procedures for audit follow-up and resolution.

        Please provide us your management decision for each recommendation within 30 days. Your management decisions should be recorded on the attached SBA Forms 1824, "Recommendation Action Sheet," and show either your proposed corrective action and target date for completion, or explanation of your disagreement with our recommendations.

       This report may contain proprietary information subject to the provisions of 18 USC 1905. Do not release to the public or another agency without permission of the Office of Inspector General.

       Should you or your staff have any questions, please contact Robert G. Hultberg, Director, Business Development Programs Group at (202) 205-7577.

Attachment


                                                                        Attachment 1

                                                 REPORT DISTRIBUTION

Recipient                                                                  Number of Copies

Associate Deputy Administrator for Management and Administration ......................... 1

General Counsel .......................................................................... 2

General Accounting Office ................................................................ 1

Chief Financial Officer .................................................................. 1
Attention: Jeff Brown
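Finding 1 reports three conditions that a system owner can verify directly from the account database: blank password fields, passwords older than the SOP 90-47 interval, and expiration and inactivity controls that were never switched on. The script below is an added example, not part of the OIG report and not SBA's or OCIO's code, showing how those checks can be run against a Solaris-style shadow file. The shadow field layout, the 90-day and 120-day limits (taken from the SOP as quoted in the report), the sample entries, the constructed "today" value and the finding codes are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the OIG report or SBA: audit a Solaris-style
# /etc/shadow against the SOP 90-47 password controls the report cites.
# Assumed field layout (Solaris shadow(4)):
#   user:password:lastchg:min:max:warn:inactive:expire:flag
# lastchg is days since 1970-01-01; an empty aging field means "not enforced".

MAX_PASSWORD_AGE=90      # SOP 90-47: passwords must expire every 90 days
MAX_INACTIVE_DAYS=120    # SOP 90-47: suspend accounts after 120 days of inactivity

# audit_shadow SHADOW_FILE TODAY_IN_DAYS
# Prints one finding per line: CODE user [detail]
audit_shadow() {
    awk -F: -v maxage="$MAX_PASSWORD_AGE" -v maxinact="$MAX_INACTIVE_DAYS" -v today="$2" '
    NF < 2 || $1 ~ /^#/ { next }
    {
        user = $1; pw = $2; lastchg = $3; max = $5; inact = $7
        # Blank password field: anyone who knows the user ID can sign on as it.
        if (pw == "") { print "BLANK_PASSWORD " user; next }
        # Locked (*LK*) or no-password (NP) entries cannot authenticate by password;
        # report them and skip the aging checks.
        if (pw == "NP" || pw ~ /^\*/) { print "LOCKED " user; next }
        # Expiration not enforced, or enforced at a looser interval than 90 days.
        if (max == "" || max + 0 > maxage)
            print "NO_OR_WEAK_EXPIRY " user " max=" (max == "" ? "unset" : max)
        # Inactivity suspension not enforced, or looser than 120 days.
        if (inact == "" || inact + 0 > maxinact)
            print "NO_OR_WEAK_INACTIVITY " user " inactive=" (inact == "" ? "unset" : inact)
        # Password already older than the 90-day limit as of today.
        if (lastchg != "" && today - lastchg > maxage)
            print "PASSWORD_OVERDUE " user " age_days=" (today - lastchg)
    }' "$1"
}

# count_findings SHADOW_FILE TODAY_IN_DAYS CODE -> number of findings with that code
count_findings() {
    audit_shadow "$1" "$2" | grep -c "^$3 " || true
}

# Constructed sample shadow entries (hash fields are placeholders, not real credentials).
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root:x9h3kL2pQ7sAb:11250:7:60:7:::
dbadm:aR5tKq9wLm0cE:11350:7:90:7:120::
fieldapp::11300::::::
olduser:Pz8q7Lm2nB1xD:10900:7::7:::
svctest:*LK*:11000::::::
EOF
TODAY_DAYS=11400   # constructed "today": days since 1970-01-01, roughly March 2001

audit_shadow "$SAMPLE_SHADOW" "$TODAY_DAYS"
```

Run against a copy of the real shadow file with the current day count (`$(( $(date +%s) / 86400 ))`) in place of the constructed value, and compare the per-user limits it reports with what the UNIX Administrative Tool shows. Two of the report's conditions are deliberately outside this check: an initial password that was never changed is indistinguishable from any other hash, which is why Recommendation 1C calls for a procedure rather than a setting, and whether an ID belongs to a departed employee needs the personnel and firewall review in Recommendation 1F.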
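Finding 2 turned on a single setting, rlogin, and Recommendation 2A asks for periodic review of the configuration files that control such settings. The script below is an added example, not part of the OIG report and not an OCIO script, of what that review can look like for the classic inetd configuration: it lists the services that are actually enabled, picks out the Berkeley r-services (login, shell, exec) that bypass the approved front-end software, and writes a hardened copy with those entries commented out. The Solaris 8-era /etc/inet/inetd.conf line layout, the sample excerpt and the set of services flagged are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the OIG report or SBA: review an inetd.conf for the
# Berkeley r-services (rlogin, rsh, rexec) that bypass approved front-end software,
# and write a hardened copy with those entries commented out.
# Assumed line layout (Solaris 8 style /etc/inet/inetd.conf):
#   service socket-type protocol wait/nowait user server-program args

# list_enabled_services INETD_CONF -> names of services with an active (uncommented) entry
list_enabled_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# prohibited_enabled INETD_CONF -> the r-services that are still switched on
prohibited_enabled() {
    list_enabled_services "$1" | grep -Ex 'login|shell|exec' || true
}

# disable_rservices INETD_CONF OUTPUT -> copy of the file with r-service lines commented out
disable_rservices() {
    awk '!/^[[:space:]]*#/ && ($1 == "login" || $1 == "shell" || $1 == "exec") { print "#" $0; next }
         { print }' "$1" > "$2"
}

# Constructed excerpt; the real file on the audited servers is not in the report.
SAMPLE_INETD=$(mktemp)
HARDENED_INETD=$(mktemp)
trap 'rm -f "$SAMPLE_INETD" "$HARDENED_INETD"' EXIT
cat > "$SAMPLE_INETD" <<'EOF'
# constructed inetd.conf excerpt
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
login   stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
shell   stream  tcp6    nowait  root    /usr/sbin/in.rshd       in.rshd
#exec   stream  tcp6    nowait  root    /usr/sbin/in.rexecd     in.rexecd
#finger stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
EOF

echo "r-services enabled before hardening:"
prohibited_enabled "$SAMPLE_INETD"
disable_rservices "$SAMPLE_INETD" "$HARDENED_INETD"
echo "r-services enabled after hardening:"
prohibited_enabled "$HARDENED_INETD"
```

For the periodic review in Recommendation 2A, the useful artifact is the `list_enabled_services` output diffed against an approved baseline, so that any service switched on since the last review stands out, not just the three named here. After replacing the real file, inetd must be sent SIGHUP to reread its configuration; the running daemon does not notice the edit on its own.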
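Finding 5 asks that the switch-user log be reviewed weekly by the DBMS Team Leader and OCIO Security, who need to validate each login rather than read the whole file. The script below is an added example, not part of the OIG report and not OCIO's tooling, that triages a Solaris-style sulog into the events a reviewer has to decide on: failed attempts to become root, successful switches to root by IDs not on an authorized list, and successful switches to other privileged IDs. The log line layout, the authorized and privileged ID lists and the sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the OIG report or SBA: triage a Solaris-style
# /var/adm/sulog so the reviewers named in Recommendation 5A see the events
# that need a decision instead of the whole file.
# Assumed line layout (Solaris su(1M)):
#   SU MM/DD hh:mm [+|-] tty from-to       (+ success, - failure)
# User IDs are assumed not to contain "-" so that from-to splits cleanly.

# review_sulog SULOG "AUTHORIZED ROOT USERS" "OTHER PRIVILEGED IDS"
# Prints one line per event needing review:
#   FAILED_ROOT_SU    from date time tty
#   UNAUTHORIZED_ROOT from date time tty      (successful su to root by a user not on the list)
#   PRIVILEGED_TARGET from to date time tty   (successful su to a non-root privileged ID)
review_sulog() {
    awk -v auth="$2" -v priv="$3" '
    BEGIN {
        n = split(auth, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
        m = split(priv, p, " "); for (i = 1; i <= m; i++) privileged[p[i]] = 1
    }
    $1 != "SU" || NF < 6 { next }
    {
        split($6, ids, "-"); from = ids[1]; to = ids[2]
        if (to == "root") {
            if ($4 == "-")          print "FAILED_ROOT_SU " from " " $2 " " $3 " " $5
            else if (!(from in ok)) print "UNAUTHORIZED_ROOT " from " " $2 " " $3 " " $5
        } else if ($4 == "+" && (to in privileged)) {
            print "PRIVILEGED_TARGET " from " " to " " $2 " " $3 " " $5
        }
    }' "$1"
}

# count_events SULOG AUTH PRIV CODE -> number of review lines with that code
count_events() {
    review_sulog "$1" "$2" "$3" | grep -c "^$4 " || true
}

# repeat_failures SULOG AUTH PRIV THRESHOLD -> "user count" for users with >= THRESHOLD failed root attempts
repeat_failures() {
    review_sulog "$1" "$2" "$3" |
        awk -v t="$4" '$1 == "FAILED_ROOT_SU" { c[$2]++ } END { for (u in c) if (c[u] >= t) print u, c[u] }'
}

AUTHORIZED_ROOT="jsmith opsadm"   # constructed: IDs permitted to switch to root
PRIVILEGED_IDS="oracle dbadm"     # constructed: application owner IDs worth watching

# Constructed sulog excerpt (not SBA's log).
SAMPLE_SULOG=$(mktemp)
trap 'rm -f "$SAMPLE_SULOG"' EXIT
cat > "$SAMPLE_SULOG" <<'EOF'
SU 03/12 09:14 + pts/3 jsmith-root
SU 03/12 09:15 - pts/3 jsmith-root
SU 03/12 11:40 - pts/7 tbrown-root
SU 03/12 11:41 - pts/7 tbrown-root
SU 03/12 11:42 + pts/7 tbrown-root
SU 03/13 14:05 + pts/2 mlee-oracle
SU 03/13 16:30 + pts/5 jsmith-dbadm
SU 03/14 07:55 + pts/1 opsadm-root
EOF

review_sulog "$SAMPLE_SULOG" "$AUTHORIZED_ROOT" "$PRIVILEGED_IDS"
echo "users with 2 or more failed root attempts:"
repeat_failures "$SAMPLE_SULOG" "$AUTHORIZED_ROOT" "$PRIVILEGED_IDS" 2
```

The authorized list is the control the report's Finding 5 was missing: a successful switch to root is only "appropriate" relative to who is permitted to do it, so the reviewers own that list, not the operators who run the servers. Because sulog records month and day but no year, the copies made for weekly review should be named by the date they were taken so that entries from successive years are not confused.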